unofficial mirror of guix-patches@gnu.org 
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: Ricardo Wurmus <rekado@elephly.net>,
	Mathieu Othacehe <othacehe@gnu.org>,
	31444@debbugs.gnu.org, 31442@debbugs.gnu.org,
	zimoun <zimon.toutoune@gmail.com>
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Sat, 09 Sep 2023 18:14:13 -0400
Message-ID: <871qf7xadm.fsf@gmail.com>
In-Reply-To: <87jzt04ooe.fsf@gnu.org> ("Ludovic Courtès"'s message of "Fri, 08 Sep 2023 18:25:53 +0200")

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

> Reporting only leaf packages was a limitation, not a goal.  The
> limitation stemmed from the fact that, to determine whether a package is
> vulnerable, we need to (1) map its store file name to its package name,
> and (2) map its package name to its CPE name.
>
> We can do #1 via manifests, but only for leaf packages (because there’s
> no metadata available for other store items).

[...]

> There’s been progress since I posted this patch: manifests now include
> provenance info, which means we can map profiles back to package
> definitions!  So we could make a proper ‘guix health’ at this stage.
>
> I’d like to say I’ll work on it soon but reality is that I’m a bit
> swamped.  Anyhow, I think it remains a useful tool, and whether it’s me
> or someone else working on it, we should probably aim for it at some
> point.

Thanks for the update.  It's OK to keep it here if all that is missing
is some extra work to push it to the finish line, so let's keep this one
open.

On a related note, sometimes we have WIP kind of work that stays on our
tracker with deeper questions / problems to solve, and I don't think
it's fair for our reviewers to have these linger on for years on the
tracker (they take a lot of time to get familiar with, and would then
require quite a bit more investment to be completed, sometimes with the
original submitter no longer active in the discussion) -- I think for
these situations it's fair to close it.  An interested person can
hopefully find these in the archives and resume work on it if they are
so inclined.

-- 
Thanks,
Maxim
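The quoted message describes the pipeline a 'guix health' tool needs: map each store file name to a package name and version, map that to a CPE name, then match against a CVE feed, with the catch that only leaf packages carry manifest metadata. The following is an added illustration written for this page, not code from Guix or from the patch under discussion. The manifest, the CPE table, the CVE feed (placeholder identifiers, not real advisories) and the all-zero store hash are all constructed; the name/version split is an assumption modelled on Guix's `package-name->name+version` convention (version starts at the first hyphen followed by a digit).

```python
"""Toy model of the 'guix health' pipeline discussed in the thread:
store file name -> package name/version -> CPE name -> known CVEs.
All data below is constructed for illustration only."""
import re
from typing import Optional

# Nix-style base32 alphabet used in /gnu/store hashes (no e, o, t, u).
STORE_PATH_RE = re.compile(r"^/gnu/store/[0-9a-df-np-sv-z]{32}-(.+)$")


def store_path_name_version(path: str) -> tuple[str, Optional[str]]:
    """Split '/gnu/store/<hash>-foo-bar-1.2' into ('foo-bar', '1.2').
    Heuristic (assumption modelled on Guix's package-name->name+version):
    the version starts at the first '-' that is followed by a digit."""
    m = STORE_PATH_RE.match(path)
    if m is None:
        raise ValueError(f"not a store path: {path}")
    label = m.group(1)
    for i, ch in enumerate(label[:-1]):
        if ch == "-" and label[i + 1].isdigit():
            return label[:i], label[i + 1:]
    return label, None


# Constructed manifest: leaf entries carry name/version metadata (as a real
# manifest does); their dependencies are known only by store path.
HASH = "0" * 32  # placeholder hash, not a real store item
MANIFEST = [
    {"name": "hello", "version": "2.12.1",
     "item": f"/gnu/store/{HASH}-hello-2.12.1",
     "dependencies": [f"/gnu/store/{HASH}-glibc-2.35",
                      f"/gnu/store/{HASH}-openssl-1.1.1k"]},
]

# Constructed package-name -> CPE (vendor, product) table.
CPE_NAMES = {
    "hello": ("gnu", "hello"),
    "glibc": ("gnu", "glibc"),
    "openssl": ("openssl", "openssl"),
}

# Constructed CVE feed: (id, vendor, product, affected versions).
# The identifiers are placeholders, not real advisories.
CVE_FEED = [
    ("CVE-0000-0001", "openssl", "openssl", {"1.1.1j", "1.1.1k"}),
    ("CVE-0000-0002", "gnu", "glibc", {"2.33"}),
]


def profile_items(manifest):
    """Yield (store_path, name, version) for leaf entries and, via the
    store-name heuristic, for their dependencies, which carry no metadata."""
    seen = set()
    for entry in manifest:
        seen.add(entry["item"])
        yield entry["item"], entry["name"], entry["version"]
        for dep in entry["dependencies"]:
            if dep in seen:
                continue
            seen.add(dep)
            name, version = store_path_name_version(dep)
            yield dep, name, version


def vulnerabilities(manifest, cpe_names=CPE_NAMES, feed=CVE_FEED):
    """Return sorted (store_path, cve_id) pairs for profile items whose CPE
    name and version appear in the feed.  Items without a CPE mapping or a
    recognisable version are skipped: they cannot be assessed, not cleared."""
    findings = []
    for item, name, version in profile_items(manifest):
        cpe = cpe_names.get(name)
        if cpe is None or version is None:
            continue
        for cve_id, vendor, product, versions in feed:
            if (vendor, product) == cpe and version in versions:
                findings.append((item, cve_id))
    return sorted(findings)


if __name__ == "__main__":
    for item, cve in vulnerabilities(MANIFEST):
        print(f"{item}: {cve}")
```

The point of the split between `profile_items` and `vulnerabilities` is the one the thread makes: the leaf entries are reliable because the manifest names them, whereas the dependency rows rest on parsing the store file name, which is exactly the gap that provenance metadata in manifests closes.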

Thread overview: 11+ messages
2018-05-13 22:15 [bug#31444] 'guix health': a tool to report vulnerable packages Ludovic Courtès
2018-05-14  8:06 ` Martin Castillo
2018-05-14  9:07   ` Ludovic Courtès
2018-05-14 16:49 ` Nils Gillmann
2018-05-15  7:24   ` Ludovic Courtès
2020-09-18 22:43 ` zimoun
2020-09-25 16:34   ` Ludovic Courtès
2023-07-21 16:44   ` Maxim Cournoyer
2023-09-08 16:25     ` Ludovic Courtès
2023-09-09 22:14       ` Maxim Cournoyer [this message]
2023-09-13 19:58         ` Ludovic Courtès
